GSA’s IT Schedule 70 Contract, as of October 1, 2016, includes four new Highly Adaptive Cybersecurity Services (HACS) Special Item Numbers (SINs) as part of the Cybersecurity National Action Plan (CNAP) implemented by President Obama in February 2016. This presents brand-new opportunities for companies offering cybersecurity services to enter a booming market: the federal government is looking to spend $19 billion on cybersecurity in Fiscal Year 2017 alone.
For an understanding of the new SINs and to learn if they are right for your company, have a look at some of the GSA requirements below:
132-45A Penetration Testing
This SIN requires suppliers to mimic real-world attacks by conducting authorized penetration testing. Knowledge areas include but are not limited to penetration testing principles, general attack stages, and the ability to identify systemic security issues based on the analyzed vulnerability data.
132-45B Incident Response
The Incident Response SIN will provide support to organizations impacted by cyberattacks by determining the extent of the incident and restoring networks to a secured state. Tasks include incident command and control, and collection of intrusion assets. Knowledge areas include but are not limited to incident response and intrusion detection techniques and methodologies.
132-45C Cyber Hunt
In times of crisis, Cyber Hunt activities require that the supplier utilize information and intelligence on known threats to identify undiscovered attacks and mitigate further attacks by threat actors. Tasks include but are not limited to collecting intrusion artifacts and correlating incident data. Knowledge areas include but are not limited to general attack stages and incident categories.
As of October 28th, SINs 132-45A and 132-45D have the highest number of approved suppliers, with 19 each. Suppliers include Booz Allen Hamilton, Inc. and SAIC. SINs 132-45B and 132-45C each have 15 listed suppliers.
132-45D Risk and Vulnerability Assessment
Suppliers of Risk and Vulnerability Assessments must identify threats and vulnerabilities, assess the level of risk, and develop mitigation recommendations. Tasks include but are not limited to network mapping, vulnerability scanning, and database assessment. Knowledge areas include but are not limited to access management, network protocols, and application security.
Apply for HACS SINs:
According to GSA, companies already providing these services through IT Schedule 70 MUST move them to the new SINs. Importantly, any applicant, including companies already listed as Schedule 70 suppliers, must go through a new process for these cybersecurity services: the oral technical evaluation. For a better understanding of the oral presentation, see the GSA evaluation criteria. If the GSA Technical Evaluation Board approves the evaluation, GSA expects a 7-day turnaround for the SIN modifications.
With a market intelligence tool like EZGovOpps, companies can easily browse the new HACS SINs for full details on required tasks and knowledge, updated lists of HACS SIN contract holders, and any obligated funding.